Apple Decides That Dead Silence Is The Best Way To Address Major Encryption Flaw On OS X

from the we're-too-cool-for-details dept

Apple on Friday issued an update that fixed a rather severe vulnerability in its SSL/TLS implementation in iOS. In short, the flaw allowed any hacker to intercept data during supposedly secure and encrypted transfers when using an iPhone, iPad or iPod Touch on a public network. Estimates suggest that the vulnerability was introduced in iOS 6.0 back in September 2012 (Apple was added as a PRISM partner in October 2012; utterly circumstantial, but just sayin'). After some reverse engineering of the patch, people discovered it overhauled some fairly major portions of iOS.

The bigger problem is that, during that analysis, researchers discovered it also affects Apple laptops and desktops running Apple's OS X (there are a few of those out there). The original bug existed for some time before being detected, and at the moment there's not only no fix in place for laptop and desktop users, but Apple hasn't issued any statement warning customers that everything they do at the coffee shop is potentially exposed.

Apple's only public comment was apparently to tell Reuters on Saturday that a fix was coming "very soon." There's a website that allows you to check whether the flaw has been fixed yet. Unsurprisingly, Apple is taking a lot of heat on numerous fronts for not doing more (read: anything) to help potentially impacted users:

"Did you seriously just use one of your platforms to drop an SSL 0day on your other platform? As I sit here on my mac I’m vulnerable to this and there’s nothing I can do, because you couldn’t release a patch for both platforms at the same time? You do know there’s a bunch of live, working exploits for this out in the wild right now, right? Your advisory is entirely focussed on iOS so we know nothing of OS X yet (other than the fact that the exploits work) – could you tell us what in OS X is vulnerable? Is mail.app vulnerable? Should I be worried about malicious SSL/TLS mailservers? How about your update system itself – is that vulnerable?"

Perhaps silence is sexier? iPhone and iPad users should obviously update their systems ASAP, and OS X users can supposedly protect themselves by using Chrome or Firefox and disabling background services (like Mail.app or iCloud) when wandering about on coffee shop Wi-Fi. Regardless, surely the NSA, other intelligence organizations, hackers and other ne'er-do-wells looking to nab personal data greatly appreciate Apple's dead silence on the issue.

Who drops an SSL/TLS 0day on users at 4pm on a Friday, then spends the weekend saying a fix will be released "very soon"? Apple.


Any hacker?

My goodness. The breathlessness of the description of this vulnerability.

Any hacker is not the case here. To execute this attack you have to intercept traffic to a website, and spoof its CA certificate (although without correct key information - as that was what wasn't being checked).

That's not to say that an attack couldn't be carried out by coordinated hackers who had prepared and targeted a public network being used to access an HTTPS-secured site.

But attacking this vulnerability would not be trivial. Also, once an SSL session is set up with a legit site, even with this bug, that session would be secure and free from eavesdropping.

The attack for this has to occur at SSL session configuration and handshake time. It is much harder to pull off than it is being claimed to be.
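The comment above describes the flaw as a missing check on the key material behind the server's certificate, and notes that the window is the handshake. The public name for the defect is "goto fail": a duplicated `goto fail;` in the routine that verifies the signature on the ServerKeyExchange message made the verification call unreachable, so the routine returned success without ever comparing the signature. The C program below is an added illustration written for this page, not Apple's code and not from any commenter: the hash, the "signature", the error codes and every function name are constructed stand-ins, but the control-flow shape of the vulnerable routine and of the corrected one is the real lesson.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_NONE           0
#define ERR_BAD_SIGNATURE  (-9)   /* constructed error code for this illustration */

/* Toy stand-in for the hash that the ServerKeyExchange signature covers.
 * Real TLS uses MD5+SHA-1 or SHA-256 and an RSA/ECDSA signature; a one-byte
 * multiplicative checksum keeps the example self-contained. */
static int toy_hash_update(uint8_t *acc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *acc = (uint8_t)(*acc * 31u + buf[i]);
    return ERR_NONE;
}

static int toy_hash_final(const uint8_t *acc, uint8_t *out)
{
    *out = (uint8_t)(*acc ^ 0x5Au);   /* finalisation step, also a stand-in */
    return ERR_NONE;
}

/* Stand-in for raw signature verification: the hash must equal the byte
 * the server sent. A forger without the key cannot produce the right byte. */
static int toy_raw_verify(uint8_t hash, uint8_t signature)
{
    return hash == signature ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* What a legitimate server sends (in reality a signature made with the
 * private key matching its certificate). */
uint8_t toy_sign(const uint8_t *cr, size_t crl, const uint8_t *sr, size_t srl,
                 const uint8_t *sp, size_t spl)
{
    uint8_t acc = 0, out = 0;
    toy_hash_update(&acc, cr, crl);
    toy_hash_update(&acc, sr, srl);
    toy_hash_update(&acc, sp, spl);
    toy_hash_final(&acc, &out);
    return out;
}

/* VULNERABLE shape. The second, unconditional "goto fail;" always jumps to
 * the label while err still holds ERR_NONE from the last successful hash
 * update, so the signature is never compared and any value is accepted. */
int verify_server_key_exchange_vulnerable(const uint8_t *cr, size_t crl,
                                          const uint8_t *sr, size_t srl,
                                          const uint8_t *sp, size_t spl,
                                          uint8_t signature)
{
    int err;
    uint8_t acc = 0, hash_out = 0;

    if ((err = toy_hash_update(&acc, cr, crl)) != ERR_NONE)
        goto fail;
    if ((err = toy_hash_update(&acc, sr, srl)) != ERR_NONE)
        goto fail;
    if ((err = toy_hash_update(&acc, sp, spl)) != ERR_NONE)
        goto fail;
        goto fail;   /* duplicated line: the indentation lies, control always jumps here */
    if ((err = toy_hash_final(&acc, &hash_out)) != ERR_NONE)
        goto fail;

    err = toy_raw_verify(hash_out, signature);   /* unreachable */

fail:
    return err;
}

/* FIXED shape: braces on every conditional, no duplicated jump, and err can
 * only be ERR_NONE after the verification call itself has run. */
int verify_server_key_exchange_fixed(const uint8_t *cr, size_t crl,
                                     const uint8_t *sr, size_t srl,
                                     const uint8_t *sp, size_t spl,
                                     uint8_t signature)
{
    int err;
    uint8_t acc = 0, hash_out = 0;

    if ((err = toy_hash_update(&acc, cr, crl)) != ERR_NONE) { goto fail; }
    if ((err = toy_hash_update(&acc, sr, srl)) != ERR_NONE) { goto fail; }
    if ((err = toy_hash_update(&acc, sp, spl)) != ERR_NONE) { goto fail; }
    if ((err = toy_hash_final(&acc, &hash_out)) != ERR_NONE) { goto fail; }

    err = toy_raw_verify(hash_out, signature);

fail:
    return err;
}

/* Constructed handshake material for the demonstration, not captured traffic. */
static const uint8_t k_client_random[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t k_server_random[] = { 0xA0, 0xB1, 0xC2, 0xD3 };
static const uint8_t k_signed_params[] = { 'D', 'H', 'p', 'a', 'r', 'a', 'm', 's' };

/* One verification run: use_fixed selects the code path, forge corrupts the
 * signature the way a party without the server's key would. */
int check_case(int use_fixed, int forge)
{
    uint8_t sig = toy_sign(k_client_random, sizeof k_client_random,
                           k_server_random, sizeof k_server_random,
                           k_signed_params, sizeof k_signed_params);
    if (forge)
        sig ^= 0xFFu;
    return use_fixed
        ? verify_server_key_exchange_fixed(k_client_random, sizeof k_client_random,
                                           k_server_random, sizeof k_server_random,
                                           k_signed_params, sizeof k_signed_params, sig)
        : verify_server_key_exchange_vulnerable(k_client_random, sizeof k_client_random,
                                                k_server_random, sizeof k_server_random,
                                                k_signed_params, sizeof k_signed_params, sig);
}

int main(void)
{
    printf("vulnerable path, forged signature: %d (0 means accepted)\n", check_case(0, 1));
    printf("fixed path, forged signature:      %d\n", check_case(1, 1));
    printf("fixed path, genuine signature:     %d\n", check_case(1, 0));
    return 0;
}
```

Two defensive takeaways: clang's `-Wunreachable-code` flags the dead verification call in the vulnerable routine (GCC accepts the same flag but has treated it as a no-op since 4.5, so a clang build in CI is the practical check), and a negative test like `check_case(0, 1)`, which feeds a deliberately wrong signature and expects rejection, catches the defect regardless of compiler. A house style of braces on every `if` removes the class of bug entirely.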

Re: Any hacker?

It actually would probably be pretty trivial to have a proxy that exploits this. You watch for requests to port 443, and when you get one you create your own separate connection to wherever they're going, except you act as the web server. Everything gets passed back and forth like normal, except that when you get the data from the real web server or the client, you can decrypt it, then re-encrypt and send it to the client or web server. Log everything, and then scrape the logs for usernames and passwords.

But you need to have control over the target's network, which is where the difficulty is.

Step 2: Run a simple socket-level proxy on port 80 and 443. Watch traffic on any given device over port 80 until you see a user-agent go by (or just guess off the MAC address). Once you identify an Apple device, forge all SSL connections with a bogus cert. Log all headers and POST data. Maybe HTML returned from remote servers, too.

Re: Any hacker?

"Silence"

This is not the serious end of the world situation people are making it out to be. If you're actually worried that there is a hacker in the bushes behind your Starbucks specifically waiting for you,

A) Don't go
B) Use a VPN when you get there (set it for all traffic)
C) Don't use Safari
D) Tether to your mobile device and connect that way.

Personally if it happens to be that big a deal for you, I'd go with A.

You have nothing to fear on your home network. You have nothing to fear on your work network, and seriously, if that is that big a problem for you, you shouldn't be on unprotected public networks to begin with!!!!

The chances of this thing actually harming you are far less than the typical FLASH Trojan.

The people bitching about this are just trying to get their names in the news. The amount of alarmism and panic, as usual, does a disservice rather than taking the opportunity to inform people.

Safe As Ever

Don't go out naked in public, don't use public wifi (cell phones, even iOS devices have DATA services), use a secured open-source browser without JAVA and wipe twice after you poop. Problem solved.

My experience has been excellent with Apple so far. No infections or viruses detected or known since the Mac Plus. And when a problem was discovered (Saturday) my iOS devices all let me know I should upgrade, which I did. My experience has not been so positive with Windows. I have lost count of the number of workstations I have had to wipe clean and reinstall due to malware and virii over the past 10 years. I'll never get those hours back. And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission.

Re: Safe As Ever

I second the AC up above, in that this is a stupid sentence: "And meanwhile, Bill Gates, who overcharged for lousy software, is giving my money to people without my permission." Whether or not he overcharged or the quality of Windows, you still willingly gave Microsoft your money, at which point, whenever Gates's salary goes through at his bank, it becomes his money. He doesn't need your permission to do whatever the fuck he wants with his money.

Re: Safe As Ever

If your ego must insist that you're so special that he is giving away the money you gave to him, then you could make yourself feel better: that small amount of money you gave to him fed and clothed one of his children; it was the other saps' money that he gave away.

You could also save yourself some time writing such pointless posts and never buy another Microsoft product, or any product for that matter, that you feel is overpriced again... wow, problem solved! Wasn't that simple? Even though you have a big ego, it doesn't have much in the way of brains.

You are a perfect example of an Apple fan; thank you for reinforcing the egotistical, ignorant stereotype that is a Mac user... fucking hilarious

Re:

Exec 1: Okay people, we've got a bit of a situation here. A huge vulnerability in our OS has been made known, and the public is demanding answers.

Now, normally, this wouldn't be a big deal, just patch it and we'd be good, but it's come to our attention, strictly through 'unofficial' channels mind, that the NSA and a few other agencies have been using this exploit to gather intel and/or pass the time spying on people, and they'd probably be less than thrilled to have their backdoor access closed off like that.

However, if we don't patch it, we run the risk of angering people and potentially losing customers. Ideas?

Exec 2: Yeah, we're talking about people willing to shell out a couple hundred bucks on practically a yearly basis, just because we slapped a slightly higher number on our 'new and improved' iWhatever, and they absolutely must have the newest model, a 'piddly' security flaw like this will be nothing to them, and certainly not enough to keep them from buying our stuff.

Apple is a real innovator sometimes; they are also notoriously slow when it comes to patching their flaws! Let's face it, all OSes have flaws; I mean, it is well documented in the NVD. Even embedded OSes like VxWorks have issues.

However, read the report timeline on the (CVE-2013-0984) Directory Service buffer overflow flaw and you will see a prime example of how Apple "handles" the security flaws in their products from both an "urgency" and "responsibility" perspective. Oh, you say that was an old release? 2009 is old? Apple loves you folks, always willing to part with (much) more cash to get the latest Apple "thing". Wait, Apple has canned support for that OS, right?? Why yes they did, you just didn't hear about it until it was a done deal... again, typical Apple!! But wait, Apple has given you access to their new and improved OS X 10.9.2 (Mavericks) for FREE... and it fixes the 'gotofail' bug we are talking about!!! Yeah for Apple!! Wait... hold the press... there have already been CVEs (yes, plural) reported for it... DANG it, now what?!? Hey, I know, let's all just take an Apple approach to problems and just pretend they don't exist until there is no longer any way to hide them. That will work, I mean I'm sure Apple keeps quiet about this stuff so the bad guys don't find out... Oh, you mean the bad guys have the same access to the PUBLIC database of security flaws that sometimes include proof of concept code, or at least a technical description of the attack?!?

But in all seriousness, IF you hold a job (security related) that includes infrastructure decisions and you recommend anything Apple, then I must say you should look for another job, because let's face it, you're not any good at the job you have.